-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:15.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly 

Category:       core
Module:         inet
Announced:      2015-07-28
Credits:        Patrick Kelsey (Norse Corporation)
Affects:        All supported versions of FreeBSD.
Corrected:      2015-07-28 19:58:44 UTC (stable/10, 10.2-PRERELEASE)
                2015-07-28 19:58:44 UTC (stable/10, 10.2-BETA2-p2)
                2015-07-28 19:59:04 UTC (releng/10.2, 10.2-RC1-p1)
                2015-07-28 19:59:11 UTC (releng/10.1, 10.1-RELEASE-p16)
                2015-07-28 19:58:54 UTC (stable/9, 9.3-STABLE)
                2015-07-28 19:59:22 UTC (releng/9.3, 9.3-RELEASE-p21)
                2015-07-28 19:58:54 UTC (stable/8, 8.4-STABLE)
                2015-07-28 19:59:22 UTC (releng/8.4, 8.4-RELEASE-p35)
CVE Name:       CVE-2015-1417

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.

The underlying simple and potentially unreliable IP datagram
communication protocol may deliver segments out of order, therefore,
the TCP receiver would need to reassemble the segments into their
original sequence to provide a reliable octet stream.  Because the
reassembly requires additional resources to keep the queued segments,
historically resource exhaustion in the TCP reassembly path has been
prevented by limiting the total number of segments that could belong
to reassembly queues to a small fraction (1/16) of the total number of
mbuf clusters in the system.

VNET is a technique to virtualize the network stack, first introduced in
FreeBSD 8.0.  It changes global resources in the network stack into per
network stack resources, so that a virtual network stack can be attached
to a jailed prison and the prison can have unrestricted access to the
virtual network stack.  VNET is not enabled by default and has to be
enabled by recompiling the kernel.

II.  Problem Description

There is a mistake with the introduction of VNET, which converted the
global limit on the number of segments that could belong to reassembly
queues into a per-VNET limit.  Because mbufs are allocated from a
global pool, in the presence of a sufficient number of VNETs, the
total number of mbufs attached to reassembly queues can grow to the
total number of mbufs in the system, at which point all network
traffic would cease.

III. Impact

An attacker who can establish concurrent TCP connections across a
sufficient number of VNETs and manipulate the inbound packet streams
such that the maximum number of mbufs are enqueued on each reassembly
queue can cause mbuf cluster exhaustion on the target system, resulting
in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can
belong to reassembly queues is 1/16 of the total number of mbuf
clusters in the system, only systems that have 16 or more VNET
instances are vulnerable.

IV.  Workaround

FreeBSD 8.x, 9.x and 10.x systems that do not make use of VNETs
(option VIMAGE) are not affected.  The support has to be specifically
compiled into a custom kernel, so its use is not common.

For affected systems, the system administrators may consider reducing
the net.inet.tcp.reass.maxsegments tunable to the value of
kern.ipc.nmbclusters divided by one greater than the total number of
VNETs that are going to be used in the system in order to prevent a
Denial of Service via this vulnerability.  For example, if there are
16 VNETs in the system, the net.inet.tcp.reass.maxsegments tunable
should be set to kern.ipc.nmbclusters / 17.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp.patch.asc
# gpg --verify tcp.patch.asc

[FreeBSD 9.3 and 10.1]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-9.3-10.1.patch.asc
# gpg --verify tcp-9.3-10.1.patch.asc

[FreeBSD 8.4]
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:15/tcp-8.patch.asc
# gpg --verify tcp-8.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r285977
releng/8.4/                                                       r285980
stable/9/                                                         r285977
releng/9.3/                                                       r285980
stable/10/                                                        r285976
releng/10.1/                                                      r285979
releng/10.2/                                                      r285978
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1417>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:15.tcp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.6 (FreeBSD)

iQIcBAEBCgAGBQJVt+FcAAoJEO1n7NZdz2rnOAgQAKw0jR1Eb/USmcXlFpfMrmUr
Z6UWHsPqE9CwDJaFddrFBRyjCsbeBv4LmPyVcOKJoqspEb8P52GtBNDe9vqcco1U
C+KpcQQKWTQmu170AdLAIRVvLjoNEX0C09ig4XMbKpisrmQ8zLXavTbTw8FlbPXq
o9t0nFgPKsDfaXJF3Oas41K/NsBj4hdqnfx+R7KeOaJ6sSwiFGbRxqQ+GG3k+79a
RI+KVLpw4QV/IkhXKzl416o6uk7eWnJu72GohdrxPvXYWHBVSBkSiT7pLl3O5C7r
7+dpYyF9f4K0gnXLuATNixNS2/lL2WaJANb75ku7WnY2I5Yjx1oM2r5kE2eJ6Z/c
WXGnDE9/8SOVURqMwnpQgzVGopKZags0+X7FJAYKeW4/nWyUEAmDlQ+9dY7o/I0M
urFD+bsSxnrlGLLzjX55zKM1qyGlhNokowSusVeNlSEOl8/QV57CuyQDZ0wdAiUd
R2yl+fFxRKn4AeCMuKkEsoExLhISI7Uuz8Hjia7g0yJWfYjEjAWLcFpan/QmhwcP
4PMg+2ZuPC0uUoXqCMBqu3d0NAaae4cOCzx8WCZUaaF3DwhRnUcld+XesV/h3SNo
kn3ygFyOVWrCd7bSsEd00qqUwUN/cp/uYTqlbI9im89Emaa7/mYR/i3sq2/MRagr
2oio8OdZ8wwRuER4Jpq9
=PC1V
-----END PGP SIGNATURE-----
